Sending too much data over IPv6

1

I have installed fedora 20 in my laptop, and got a problem that the data traffic, especially the sending part, increased heavily (>10MiB/s), while connecting networks with IPv6.

I have tried to use nethogs to find suspicious processes, and got a table like this: 

PID  USER  PROGRAM              DEV  SENT   RECEIVED
?    root  *.*.*.*:*-*.*.*.*:*       0.186  0.000 KB/sec
?    root  *.*.*.*:*-*.*.*.*:*       0.186  0.000 KB/sec
?    root  *.*.*.*:*-*.*.*.*:*       0.186  0.000 KB/sec
......
...

The format of PROGRAM is like two IP adress Connected by a hyphen, e.g. 210.77.27.236:473885-70.39.110.14:80

How should I do to handle it?

Bei Chen

Posted 2015-02-07T16:39:47.280

Reputation: 11

There is no IPv6 traffic shown there! – Michael Hampton – 2015-02-07T20:12:36.550

Answers

1

I don't see any ipv6 addresses here. What you have in your question is:

210.77.27.236:473885-70.39.110.14:80

That clearly shows IP address of client is 210.77.27.236 and source port is bizarre because its invalid. (only should go up to 65K).

The server address is 70.39.110.14 and destination port is 80 (www).

It is not clear if your PC is the server or client in this case, but if you feel this is the cause of your increased bandwidth usage you could be hosting a proxy server or you have a rogue program connecting to a remote server for who knows what purpose.

UPDATE:

Since nethogs isn't helping you narrow down the cause, I suggest using netstat to view all tcp and udp activity.

Try the following command:

 # netstat -atpn

a = is to display all
t = is to display TCP (you should also try with u to display UDP)
p = to display process name for established and listening connections
n = to prevent name resolution since that slows output down.



# netstat -atpn 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name       
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      20519/httpd         
tcp        0      0 0.0.0.0:19025               0.0.0.0:*                   LISTEN      15810/sendmail              
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1668/sshd                                       
tcp        0      0 23.23.16.41:80              19.15.63.42:60172           TIME_WAIT   -                                      
tcp        0      0 23.23.16.41:22              172.218.220.79:58498        ESTABLISHED 30607/sshd

The output will tell you which services are listening for connections (you should disable the ones you do not want), the established sessions, the ones recently closed..etc.. I suspect you will see many with port 80 or port 25 which means your PC has become a proxy server or spam relay. If you do then disable the httpd and email daemons until you can lock them down.

Ricardo

Posted 2015-02-07T16:39:47.280

Reputation: 181

I guessed that it was caused by some rogue programs, so I used nethogs to find their information. Then, I could clean them manually. Unluckily, I haven't gotten any useful information, e.g. PID. Could you give me some advice to catch the rogue programs? Thanks a lot! – Bei Chen – 2015-02-08T03:02:34.917

nethogs is a convenient tool that will show you the traffic in real time by process id. Why isn't it working for you? How did you determine that there was a traffic spike if you can't see it with nethogs? – Ricardo – 2015-02-08T04:11:11.327

There are hundreds of 0.186KB/sec under SENT label as I described above. And the "System Monitor" also provided the running-time data traffic information (Sending > 10MiB/s). – Bei Chen – 2015-02-08T05:50:23.760

you could run a #netstat -atpn and it would show you on the last column the name of the program if the connection is established. If you see hundreds of lines with port 80 either as source or destination then start by shutting down the httpd service and see if that helps. – Ricardo – 2015-02-08T14:17:41.297

I updated my answer above with the netstat command info. – Ricardo – 2015-02-08T14:53:42.383

Asked: 2015-02-07T16:39:47.280

Viewed: 61 times

Active: 2015-02-08T14:53:21.407